CORS request not http #184

Closed
opened 2 years ago by Marc05 · 7 comments
Marc05 commented 2 years ago

I use the addons Privacy-Oriented Origin Policy and uBlock Origin along with this addon; I get the following message in the Firefox browser console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at moz-extension://8146191d-bdfd-4528-86de-1dc69c3b0507/resources/fontawesome/5.15.1/css/all.min.css. (Reason: CORS request not http).
This is probably because I need rules in POOP like there are for uBlock Origin, however, I'm not sure.

I use the addons Privacy-Oriented Origin Policy and uBlock Origin along with this addon; I get the following message in the Firefox browser console: `Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at moz-extension://8146191d-bdfd-4528-86de-1dc69c3b0507/resources/fontawesome/5.15.1/css/all.min.css. (Reason: CORS request not http).` This is probably because I need rules in POOP like there are for uBlock Origin, however, I'm not sure.
Poster

Adding 0:: ^moz-extension://* to the whitelist in POOP worked. Perhaps this can be referenced somewhere in the LocalCDN settings (e.g. under "Generate rule sets for your adblocker").

Adding `0:: ^moz-extension://*` to the whitelist in POOP worked. Perhaps this can be referenced somewhere in the LocalCDN settings (e.g. under "Generate rule sets for your adblocker").
Owner

Thanks for your information. Do you know a website where this works? My previous tests have failed. It also depends on the webserver.

Thanks for your information. Do you know a website where this works? My previous tests have failed. It also depends on the webserver.
Poster

I was trying it on dndbeyond.com but I can no longer reproduce it. I don't even see the fontawesome url being used when in the Network tab.

Additionally, perhaps this is relevant:
https://bugzilla.mozilla.org/show_bug.cgi?id=1419459

I was trying it on dndbeyond.com but I can no longer reproduce it. I don't even see the fontawesome url being used when in the Network tab. Additionally, perhaps this is relevant: https://bugzilla.mozilla.org/show_bug.cgi?id=1419459
nobody added the
question/discussion
label 2 years ago
Owner

I don’t even see the fontawesome url being used when in the Network tab.

Have you disabled the cache?

Additionally, perhaps this is relevant: https://bugzilla.mozilla.org/show_bug.cgi?id=1419459

I know the bugreport. It's about detecting a CORS error and handling it inside the extension, e.g. allowing a request to a CDN. This is currently not possible because an extension doesn't know if it is a CORS error.

> I don’t even see the fontawesome url being used when in the Network tab. Have you disabled the cache? > Additionally, perhaps this is relevant: https://bugzilla.mozilla.org/show_bug.cgi?id=1419459 I know the bugreport. It's about detecting a CORS error and handling it inside the extension, e.g. allowing a request to a CDN. This is currently not possible because an extension doesn't know if it is a CORS error.
Poster

I'm using arkenfox user.js which disables many things, though I did re-enable browser.cache.disk.enable. Perhaps there's something else there that's blocking it.

I'm using arkenfox user.js which disables many things, though I did re-enable `browser.cache.disk.enable`. Perhaps there's something else there that's blocking it.
Owner

Last time (June 2020) when I was looking for a way to manipulate the HTTP header, I couldn't find a way to do that. I also tested Privacy-Oriented Origin Policy and Laboratory. Both did not work.

In the end it is a security mechanism that is very good. You can probably disable the CORS behavior in Firefox Nightly and/or Beta in about:config, but then it's global for all websites. This is very bad for security.

If you have new information, please reopen this issue.

Last time (June 2020) when I was looking for a way to manipulate the HTTP header, I couldn't find a way to do that. I also tested [Privacy-Oriented Origin Policy](https://addons.mozilla.org/de/firefox/addon/privacy-oriented-origin-policy/) and [Laboratory](https://addons.mozilla.org/de/firefox/addon/laboratory-by-mozilla/). Both did not work. In the end it is a security mechanism that is very good. You can probably disable the CORS behavior in Firefox Nightly and/or Beta in `about:config`, but then it's global for all websites. This is very bad for security. If you have new information, please reopen this issue.
nobody added the
sop/cors
label 2 years ago
nobody closed this issue 2 years ago
nobody added the
observation
label 2 years ago
nobody added the
duplicate
label 2 years ago
nobody removed the
observation
label 1 year ago
Owner
see [#369 Information about SOP/CORS related issues](https://codeberg.org/nobody/LocalCDN/issues/369)
Sign in to join this conversation.
No Milestone
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

No dependencies set.

Reference: nobody/LocalCDN#184
Loading…
There is no content yet.